mirror of https://github.com/MISP/misp-objects
Compare commits
10 Commits
1abf2bf705
...
2061c353fe
Author | SHA1 | Date |
---|---|---|
Alexandre Dulaunoy | 2061c353fe | |
Alexandre Dulaunoy | 42b48439da | |
Alexandre Dulaunoy | 8aea824bbe | |
Alexandre Dulaunoy | 9f98d15a6f | |
Alexandre Dulaunoy | f3724ad19b | |
Alexandre Dulaunoy | 7f95d3290a | |
Alexandre Dulaunoy | 3d78e17c4b | |
Alexandre Dulaunoy | 16b354c04c | |
Alexandre Dulaunoy | 9f7cabf25c | |
menewol | 93b43a3191 |
@ -153,7 +153,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/credential](https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json) - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
|
||||
- [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json) - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.
|
||||
- [objects/crowdsec-ip-context](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json) - CrowdSec Threat Intelligence - IP CTI search.
|
||||
- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
|
||||
- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
|
||||
- [objects/crypto-material](https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json) - Cryptographic materials such as public or/and private keys.
|
||||
- [objects/cryptocurrency-transaction](https://github.com/MISP/misp-objects/blob/main/objects/cryptocurrency-transaction/definition.json) - An object to describe a cryptocurrency transaction.
|
||||
- [objects/cs-beacon-config](https://github.com/MISP/misp-objects/blob/main/objects/cs-beacon-config/definition.json) - Cobalt Strike Beacon Config.
|
||||
|
@ -169,7 +169,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain.
|
||||
- [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time.
|
||||
- [objects/domain-ip](https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json) - A domain/hostname and IP address seen as a tuple in a specific time frame.
|
||||
- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
|
||||
- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
|
||||
- [objects/elf](https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json) - Object describing a Executable and Linkable Format.
|
||||
- [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format.
|
||||
- [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
|
||||
|
@ -190,6 +190,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information.
|
||||
- [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm.
|
||||
- [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm.
|
||||
- [objects/flowintel-cm-task-note](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task-note/definition.json) - A task's note as defined by flowintel-cm.
|
||||
- [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
|
||||
- [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
|
||||
- [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
|
||||
|
@ -336,7 +337,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
|
||||
- [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
|
||||
- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
|
||||
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io.
|
||||
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io or others.
|
||||
- [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
|
||||
- [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
|
||||
- [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.
|
||||
|
@ -1,11 +1,43 @@
|
|||
{
|
||||
"attributes": {
|
||||
"architecture": {
|
||||
"description": "Hardware architecture of the sample",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"asn": {
|
||||
"description": "Originating ASN for the CS Beacon Config",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "AS",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"beacon-host": {
|
||||
"description": "Beacon host IP",
|
||||
"misp-attribute": "ip-dst",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"beacon-type": {
|
||||
"description": "Beacon type used",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"binary-md5": {
|
||||
"description": "MD5 of the binary delivered",
|
||||
"misp-attribute": "md5",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"binary-sha1": {
|
||||
"description": "SHA1 of the binary delivered",
|
||||
"misp-attribute": "sha1",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"binary-sha256": {
|
||||
"description": "SHA256 of the binary delivered",
|
||||
"misp-attribute": "sha256",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"c2": {
|
||||
"categories": [
|
||||
"Network activity"
|
||||
|
@ -21,12 +53,67 @@
|
|||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"config-md5": {
|
||||
"description": "MD5 of the configuration",
|
||||
"misp-attribute": "md5",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"config-sha1": {
|
||||
"description": "SHA1 of the configuration",
|
||||
"misp-attribute": "sha1",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"config-sha256": {
|
||||
"description": "SHA256 of the configuration",
|
||||
"misp-attribute": "sha256",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"content-length": {
|
||||
"description": "Content length of the payload",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "size-in-bytes",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"content-type": {
|
||||
"description": "Content/type received",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"encoded-data": {
|
||||
"description": "Encoded payload data in Base64",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"encoded-length": {
|
||||
"description": "Length of the encoded data",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "size-in-bytes",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"geo": {
|
||||
"description": "Country location of the CS Beacon Config",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"http": {
|
||||
"description": "HTTP protocol used",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"http-code": {
|
||||
"description": "HTTP return code",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "integer",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"http-url": {
|
||||
"description": "HTTP url path of the beacon",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"ip": {
|
||||
"description": "IP of the C2",
|
||||
"misp-attribute": "ip-dst",
|
||||
|
@ -55,7 +142,7 @@
|
|||
"ui-priority": 1
|
||||
},
|
||||
"naics": {
|
||||
"description": "North American Industry Classification System Code",
|
||||
"description": "North American Industry Classification System Code (NAICS)",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"multiple": true,
|
||||
|
@ -112,5 +199,5 @@
|
|||
"watermark"
|
||||
],
|
||||
"uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
|
||||
"version": 4
|
||||
"version": 6
|
||||
}
|
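Review bot: `encoded-data` in the second hunk (`"description": "Encoded payload data in Base64"`, `"misp-attribute": "text"`) carries what the neighbouring descriptions call the delivered beacon payload as a plain `text` attribute, and unlike `content-length`, `encoded-length` and the other metadata fields it is not marked `"disable_correlation": true`, so a multi-kilobyte blob that is presumably unique per sample will be correlated, and every consumer that syncs or exports the event receives a directly decodable Cobalt Strike stager in clear text. MISP's `malware-sample` type (stored as a password-protected archive) or `attachment` is the type meant for payload bytes; if the base64 form has to stay, add `"disable_correlation": true` and make the hazard explicit, e.g. `"description": "Encoded payload data in Base64 (live beacon stager; prefer malware-sample for the raw bytes)"`. The `binary-md5`/`binary-sha1`/`binary-sha256` and `config-*` hash attributes in the first two hunks also declare no `categories`, while `c2` declares `"Network activity"`; `"Payload delivery"` would be the matching category for the hashes of the delivered binary. The `ip` attribute at the end of the second hunk continues outside it.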
|
@ -22,7 +22,8 @@
|
|||
"Discord",
|
||||
"Mumble",
|
||||
"Jabber",
|
||||
"Twitter"
|
||||
"Twitter",
|
||||
"Mattermost"
|
||||
],
|
||||
"ui-priority": 1
|
||||
},
|
||||
|
@ -1,7 +1,26 @@
|
|||
{
|
||||
"attributes": {
|
||||
"actor-geo-stats-30d": {
|
||||
"description": "Count of how many other victims were publicly leaked by the same ransomware actor in the country of the victim during the past 30 days",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"actor-total-stats-30d": {
|
||||
"description": "Count of how many other victims were publicly leaked by the same ransomware actor worldwide during the past 30 days",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"date": {
|
||||
"description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"date-published": {
|
||||
"description": "Initial published date of the post on the ransomware group blog.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
|
@ -10,25 +29,73 @@
|
|||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"entity-name": {
|
||||
"description": "Entity name of the victim referenced in the post of the ransomware group.",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"geo": {
|
||||
"description": "Geographic (main) location of the victim referenced in the post of the ransomware group.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"leak-site-url": {
|
||||
"description": "Link to the post.",
|
||||
"misp-attribute": "link",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"link": {
|
||||
"description": "Original URL location of the post.",
|
||||
"misp-attribute": "link",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"ransomware-group": {
|
||||
"description": "Ransomware group where the post is mentioned.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sector": {
|
||||
"description": "Sector (main) of the victim referenced in the post of the ransomware group.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"severity": {
|
||||
"description": "Severity of the post mentioned.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"sane_default": [
|
||||
"critical",
|
||||
"high",
|
||||
"medium",
|
||||
"low",
|
||||
"info"
|
||||
],
|
||||
"ui-priority": 1
|
||||
},
|
||||
"title": {
|
||||
"description": "Title of blog post.",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"website": {
|
||||
"description": "Website of the victim referenced in the post of the ransomware group.",
|
||||
"misp-attribute": "link",
|
||||
"ui-priority": 1
|
||||
}
|
||||
},
|
||||
"description": "Ransomware group post as monitored by ransomlook.io",
|
||||
"description": "Ransomware group post as monitored by ransomlook.io or others",
|
||||
"meta-category": "misc",
|
||||
"name": "ransomware-group-post",
|
||||
"requiredOneOf": [
|
||||
"title",
|
||||
"description",
|
||||
"link"
|
||||
"link",
|
||||
"website",
|
||||
"leak-site-url"
|
||||
],
|
||||
"uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
|
||||
"version": 1
|
||||
"version": 4
|
||||
}
|
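Review bot: `actor-geo-stats-30d` and `actor-total-stats-30d` in the first hunk are described as counts (`"Count of how many other victims were publicly leaked ..."`) yet are typed `"misp-attribute": "text"`, so the values cannot be filtered or sorted numerically and a producer can store arbitrary strings in them; MISP has a `counter` attribute type for this, and `cs-beacon-config` in the same comparison already uses `integer` for `http-code`. Change both to `"misp-attribute": "counter"` and keep `"disable_correlation": true`. In the second hunk `link` (`"Original URL location of the post."`) and `leak-site-url` (`"Link to the post."`) are not distinguishable from their descriptions and both now satisfy `requiredOneOf`, so producers will presumably fill them inconsistently; state which one is the address on the group's leak site and which a mirror or archived copy, e.g. `"description": "URL of the post on the group's leak site (onion address where applicable)."` for `link`.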